OWASP OpenStack Security Project

Main

The OWASP OpenStack Security project is an attempt to bridge two large open source communities: OWASP and OpenStack. Since I am a member of the OpenStack Security Group (OSSG) and the leader of this project and other OWASP projects, I am active in both communities and realized that getting the two groups together can improve both communities.

I work on OpenStack security currently and there is plenty of work to share. Depending on your skillset and interests, here are some things I've considered for inclusion in this project:

Creation of tools to help assess the security of OpenStack - either the source code or a working implementation of OpenStack

Reviews of the Python source to try and gather data around dependencies, potentially dangerous calls, third-party libraries, etc.

Dynamic testing (i.e., pen testing) of Horizon, the community web-based control panel for OpenStack

Reviews of what is logged in the various bits of OpenStack to look for logging of sensitive information

Review the inter-product communication to find more secure methods to connect various sub-projects in OpenStack

Your idea here

Depending on what the project is working on, I have access to compute resources and can provide access to project members to have a safe place to conduct testing. This is a very new OWASP project (started in Feb of 2013) so for now, please join the [mail list] and let us know what your interests are.

Full Disclosure: I work for Rackspace, one of the founding members of the OpenStack Foundation, and work in the product security group, which is responsible for the secure SDLC activities for all Rackspace cloud products - most of which are part of OpenStack. Additionally, OWASP's IT infrastructure (including this wiki) has been hosted since 2011 on Rackspace's Open Cloud, which is powered by OpenStack.

We're a new OWASP project; join the [mail list] and let us know what you're interested in, or ask how you can help!

Some background on the project leader for the curious:

I have been very involved in OWASP since 2008 and served on the Foundation board until January 2013. I am the project leader for the OWASP WTE project (formerly known as the OWASP Live CD project) and have been involved in several other projects and committees. Application Security is a passion of mine and can be traced back to my first days developing software for an international telecom.

I'm also a member of the OSSG - OpenStack Security Group. This is a group of OpenStack community members with a particular interest in security. It's a mix of implementers (those deploying OpenStack) and application security people who are more focused on the code base for OpenStack. It is a very new group with a few members currently - especially when compared to the number of developers in OpenStack.

My day job is the lead for product security at Rackspace. As one of the founding members of the OpenStack foundation, Rackspace obviously has an interest in keeping OpenStack moving forward over time.

Selfishly, OWASP's IT infrastructure is currently running on OpenStack because of a donation of hosting from Rackspace back in 2011. I'd love to help make sure the software which is running OWASP's IT infrastructure is hardened and secure.

What is this project?

Name: OWASP OpenStack Security Project (home page)

Purpose: The OWASP OpenStack Security Project is an effort to provide security testing techniques and tools to assess the security of the OpenStack code base. Generally speaking, the OpenStack community is primarily developers of OpenStack and companies which are implementing all or parts of OpenStack. This project provides a bridge between the OpenStack community and the OWASP community of security professionals. The project leader is also a member of OpenStack and is a member of the OpenStack Security Group. OpenStack has the desire to be the Linux of Cloud infrastructure and OWASP can be the community that ensures the security of that Cloud.